U.S. Department of Energy
Office of Inspector General
Office of Audits and Inspections

Audit Report

Management of Los Alamos National Laboratory's Cyber Security Program

DOE/IG-0880                          February 2013

Department of Energy
Washington, DC 20585
February 11, 2013

MEMORANDUM FOR THE SECRETARY

FROM:     Gregory H. Friedman
          Inspector General

SUBJECT:  INFORMATION: Audit Report on "Management of Los Alamos National Laboratory's Cyber Security Program"

INTRODUCTION AND OBJECTIVE

The Los Alamos National Laboratory (LANL), operated by the National Nuclear Security Administration on behalf of the Department of Energy, is one of the world's largest multi-disciplinary laboratories and is primarily responsible for helping to ensure the safety and reliability of the Nation's nuclear stockpile as part of the Department's Stockpile Stewardship Program. In addition, the Laboratory is a major contributor to the energy, defense, supercomputing and basic science research missions of the Department. To accomplish program goals and objectives, LANL operates and manages numerous information systems and networks to support the research, business and communication needs of its users.
Although LANL spends a significant amount of funds on information technology (IT) activities, we were unable to obtain an accurate amount due to the Laboratory's limited ability to track its IT spending.

Prior Office of Inspector General reviews identified weaknesses related to LANL's IT program. For instance, findings in the Special Inquiry Report on Selected Controls over Classified Information at the Los Alamos National Laboratory (OAS-SR-07-01, November 2006) revealed that critical cyber security internal controls and safeguards were not functioning as intended and monitoring by both laboratory and Federal officials was not adequate. In addition, past evaluations supporting our Federal Information Security Management Act of 2002 responsibilities have identified weaknesses with LANL's cyber security program. In that connection, we initiated this audit to determine whether LANL effectively managed its cyber security program.

RESULTS OF AUDIT

LANL had taken steps to address concerns regarding its cyber security program raised in prior evaluations. Our current review, however, identified continuing concerns related to LANL's implementation of risk management, system security testing and vulnerability management practices. In particular:

   •   LANL had not always developed and implemented an effective risk management process consistent with Federal requirements. For instance, system-level risk assessments did not always provide details regarding vulnerabilities and threats. Even though specifically required, risk assessments did not consider or evaluate how combinations of vulnerabilities and threats could increase the overall risk to an information system.

   •   LANL had not always ensured that it had developed, tested and implemented adequate controls over its information systems.
       For example, LANL had only tested a small fraction of the required security controls during the most recent authorization period for two of the seven national security systems and the one unclassified system that we reviewed. Further, LANL's testing was not always adequate to ensure that controls and/or control enhancements were functioning as designed.

   •   Critical and high-risk vulnerabilities had also not always been properly addressed. Notably, we identified issues during scans of both national security and unclassified systems. For example, we identified 5 critical and 15 high-risk weaknesses on the 4 national security systems scanned, some of which dated back to 2008. Similarly, vulnerabilities related to patch management, access controls and system integrity of web applications were identified on certain unclassified systems we tested.

The issues identified occurred, in part, because of a lack of effective monitoring and oversight of LANL's cyber security program by the Los Alamos Site Office, including approval of practices that were less rigorous than those required by Federal directives. For instance, the Los Alamos Site Office permitted the Laboratory to test only a limited set of security controls when reauthorizing systems to operate, resulting in a number of critical/required controls not being tested. In addition, we found that LANL's Information Technology Directorate had not followed NNSA policies and guidance for assessing system risk and had not fully implemented the Laboratory's own policy related to ensuring that scanning was conducted to identify and mitigate security vulnerabilities in a timely manner.

While additional action is needed, we found that LANL had made significant improvements to its cyber security program in recent years.
Specifically, LANL improved the protection of national security systems and data through the elimination or disablement of data ports on machines containing classified information and ensured that incompatible security personnel functions were segregated and related compensating controls were in place and operational. LANL also segregated vulnerable computers and equipment no longer supported by vendors from the rest of the unclassified computing environment.

Without further improvements to its cyber security program, however, LANL's systems remain at a higher than necessary risk of compromise. Specifically, LANL's transition to a Risk Management Framework, which is heavily reliant on continuous monitoring, could be hindered by the issues identified in our report, including a lack of understanding by responsible individuals as to the totality of risks associated with the systems. Furthermore, without effective vulnerability scanning and remediation of identified weaknesses, LANL's unclassified and national security networks face a higher than necessary risk of compromise. In light of the weaknesses identified, we made several recommendations that, if fully implemented, should aid the site in implementing its risk management and continuous monitoring processes.

MANAGEMENT REACTION

NNSA management concurred with the report's findings and recommendations and agreed to take necessary corrective actions.
Management's formal comments are included in their entirety in Appendix 3.

Attachment

cc:   Deputy Secretary
      Acting Under Secretary for Nuclear Security
      Chief Information Officer
      Chief of Staff
      Chief Health, Safety and Security Officer

REPORT ON MANAGEMENT OF LOS ALAMOS NATIONAL LABORATORY'S CYBER SECURITY PROGRAM

TABLE OF CONTENTS

Cyber Security

Details of Finding ........ 1
Recommendations and Comments ........ 7

Appendices

1. Objective, Scope and Methodology ........ 9
2. Prior Reports ........ 11
3. Management Comments ........ 13

MANAGEMENT OF LOS ALAMOS NATIONAL LABORATORY'S CYBER SECURITY PROGRAM

PROGRAM IMPROVEMENTS

The Los Alamos National Laboratory (LANL) made significant improvements to its cyber security program in recent years. For instance, in response to our Special Inquiry Report on Selected Controls over Classified Information at the Los Alamos National Laboratory (OAS-SR-07-01, November 2006), LANL improved the protection of systems and data through the elimination or disablement of data ports on machines containing classified information. LANL also worked to ensure that incompatible security personnel functions were segregated and related compensating controls were in place and operational.
In addition to the actions taken in response to our previous report, site officials worked to reduce risk by segregating vulnerable computers and equipment no longer supported by vendors from the rest of the unclassified computing environment. Site officials also worked over the past year to remediate certain vulnerabilities identified during our Fiscal Year (FY) 2011 Federal Information Security Management Act of 2002 (FISMA) evaluation. In preliminary comments on our draft report, Los Alamos Site Office officials stated that they had taken measures to resolve weaknesses identified during the course of our audit work. However, we were unable to validate these recent corrective actions due to the timing of our audit work.

Managing Cyber Security

While the corrective actions we validated are significant and noteworthy, our audit work found that additional actions are necessary before LANL can successfully shift its efforts to a continuous monitoring process. In particular, we identified problems with certain elements necessary to support an effective monitoring process.

Risk Management

LANL had not always developed and implemented an effective risk management process consistent with Federal requirements. Specifically, system-level risk assessments did not always include sufficient detail about specific areas of threats and/or vulnerabilities.
For example, two of the eight risk assessments reviewed did not provide adequate details regarding the vulnerabilities and threats to support effective decision-making. Further, the assessments did not consider combinations of vulnerabilities and threats that may have increased risks to the systems.

We learned that officials relied solely on reports generated by LANL's Rapid Assessment Process to Outline Risk (RAPTOR) tool to assess system risk during the 2008 accreditation process. While the tool was designed to enhance the risk management process, it was brought to the site's attention during an external evaluation that there were flaws in the way risks were determined during the process. The use of RAPTOR was discontinued because it only analyzed individual threats and not how threats were correlated. In addition, the process did not consider whether the system would be subject to additional threats or vulnerabilities in the overall operating environment. However, during the recent reaccreditation process, LANL chose to carry forward its risk assessments, including those conducted under the RAPTOR process, even though the assessment process under which they were completed had been determined to be ineffective. As such, it is possible that an asset assessed as low-risk by itself could become vulnerable when used in combination with other components.
As noted by the National Institute of Standards and Technology (NIST), it is important that the output of different risk assessment activities be correlated in a meaningful manner to help protect the systems and information.

Security Testing

LANL did not ensure that it had developed adequate controls over its systems and tested them for effectiveness. Although Federal policies and procedures directed agencies to move towards a continuous monitoring approach, we found that LANL's activities were not supportive of this method. In particular, of the three moderate-risk systems we reviewed, including two national security systems, we found that LANL had implemented a rapid reaccreditation process which eliminated the testing of the majority of controls and control enhancements for systems that had no significant changes. LANL took this approach even though it had been nearly 3 years since the systems were last accredited and authorized to operate. NIST required, at minimum, the testing of 263 of the 628 (nearly 42 percent) controls and control enhancements for accreditation of moderate-risk systems, and the National Nuclear Security Administration's (NNSA) system authorization process required all controls and control enhancements be tested every 3 years to ensure they continue to operate as intended. However, LANL received permission from the Los Alamos Site Office to test only 41 of the 263 (16 percent) controls and control enhancements.
We found that controls not fully tested included those related to account management, identification and authentication, incident response, the use of cryptography, protection of information at rest, and software and information integrity.

In addition, when control testing was conducted, it was not always adequate to ensure that the controls and control enhancements were functioning as designed. Specifically, during a review of eight security plans and the related control testing responses, we identified various responses that either did not fulfill the requirement of the control or indicated that the control was not applicable to the system when in fact it should have been tested. In particular, testing responses included in the documentation reviewed did not always address the control being tested. For example, even though one control enhancement focused on preventing users from introducing removable media into the information system, we found that the results did not address the requirement. Similarly, documented results for another control enhancement revealed that incoming electronic mail was not accepted onto the system even though the purpose of the test was to address controls over removable media. Therefore, the requirement established by the control enhancement was not met by the tests performed by LANL even though it was noted as passing in the system's security plan.

We also noted numerous instances in which only a portion of a control or control enhancement was tested.
For example, although one control required the establishment and review of a particular subset of policies and procedures, the documented response to support testing of that control was that the system owner was aware of the control. Based on such general responses, we questioned whether the evaluators of the system could gain adequate assurance that controls were entirely in place and sufficiently working as intended, as required by NIST Special Publication (SP) 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. In addition, discrepancies such as these in the testing process could negatively impact the ability of the site to implement an effective continuous monitoring process, as security weaknesses and deficiencies may not be identified in a timely manner, potentially resulting in costly and/or inefficient resolutions.

Vulnerability Management

During our review, we identified a number of technical vulnerabilities on national security and unclassified systems related to patch management and/or controlling access to information systems. In particular, critical and high-risk vulnerabilities were identified during scans of servers supporting the four national security systems we tested. We identified 5 critical and 15 high-risk weaknesses on the 4 systems, including vulnerabilities that were not remediated even though patches had been available since 2008. Many weaknesses identified related to vulnerabilities in various types of software, including software used to support office automation and general productivity.
According to LANL policy, unaddressed critical vulnerabilities should have resulted in blockage to the system within 24 hours, and high-risk vulnerabilities should have resulted in a system blockage if the vulnerabilities were not mitigated within 5 days. Although LANL had developed a deviation process for identified vulnerabilities that could not be addressed on a system without causing reliability or other issues, our analysis found that only one of the vulnerabilities had been given a deviation, while the others had not been remediated in a timely manner.

Similarly, test work performed on unclassified systems supporting our FY 2012 Financial Statement Audit and FISMA revealed a number of other vulnerabilities. As noted in our report, LANL had taken action to remediate certain previously identified vulnerabilities. However, we continued to find numerous weaknesses that were similar in type, frequency and risk level to those identified during the prior year. Specifically:

   •   Although LANL had initiated steps to address previously identified conditions related to network and enterprise application account management, officials had not performed a review of all network accounts. Furthermore, LANL officials had not established a process to remove inactive user access in a timely manner for the unclassified network and one major application. In preliminary comments on our draft report, the Los Alamos Site Office management noted that actions had been taken by LANL to correct the issue.
       While the Site Office considered the issue resolved, we were unable to validate the corrective actions that occurred subsequent to our test work.

   •   Network servers and devices were configured with default or easily guessed login credentials or required no authentication. For example, 15 web applications and 5 servers were configured with default or blank passwords. Additionally, two network servers were found to have configurations to accept connections from any system without the use of authentication or similar access controls. Also, 10 network servers and devices were not appropriately configured and could have allowed unauthorized remote control of affected systems.

   •   Five applications accepted malicious input data that could be used to launch attacks against legitimate application users, which could result in unauthorized access to the applications.

   •   LANL had not fully implemented existing security patch management and vulnerability management procedures. Specifically, tests of 191 network servers supporting LANL's financial applications and data or providing core network services revealed that 73 (38 percent) were running operating systems and client applications without current security patches – all of which were released more than 30 days prior to our testing. We also found that LANL continued to maintain a significant number of operating systems, client applications and other various software no longer supported by the vendor.

Notably, our performance testing did not identify significant weaknesses related to LANL's implementation of patch management procedures for desktop systems. While this result was positive, it remains important for LANL to remediate all vulnerabilities in a timely manner to help protect against unauthorized access to systems and data.

Performance Monitoring and Policies and Procedures

The issues identified occurred, in part, because of a lack of effective monitoring and oversight of LANL's cyber security program by the Los Alamos Site Office, including approval of practices that were less rigorous than those required by Federal directives and inappropriate delegation of security functions. In addition, in many cases LANL's Information Technology Directorate did not follow policies and procedures established by NNSA to ensure that Federal requirements for cyber security were fully implemented.

Monitoring and Oversight

The Los Alamos Site Office had not provided adequate monitoring and oversight of LANL's cyber security program. In particular, the Site Office approved practices that were less rigorous than those required by Federal directives.
For example, the rapid reaccreditation process approved by the Site Office allowed LANL to test only a limited number of those controls related to 20 areas determined to be the most important for ensuring system security, as identified in the Consensus Audit Guidelines established by various government and private sector entities. Specifically, the process approved for LANL's moderate-risk systems resulted in testing just over half of the controls included in the Consensus Audit Guidelines. This resulted in the site testing only about 20 percent of all required NIST controls and control enhancements. In addition, although an NNSA Headquarters official stated that he did not agree with the rapid reaccreditation process used at the Laboratory, it had been approved by the Authorizing Official – the individual responsible for formal risk acceptance for LANL's systems – at the Los Alamos Site Office. Site officials believed that the use of the rapid reaccreditation process was justified based on the need to utilize a risk management approach to cyber security. However, as noted in our report, the risk management approach used by the site contained flaws that could impact the ability to adequately consider vulnerabilities and threats to information systems. In addition, even controls generally considered the most critical to protecting information and systems were not always tested.
Absent an effective risk management approach and related testing of security controls, it is unlikely that LANL will be able to implement a continuous monitoring process that adequately protects its information systems.

Policy and Procedures

LANL's Information Technology Directorate neither followed NNSA guidance for assessing system risk nor fully adhered to Laboratory policy related to vulnerability management. For instance, LANL officials did not always fully identify and detail specific risks to systems as required by the NNSA Program Cyber Security Plan. While system-level risk assessments considered individual security threats such as unauthorized actions by a perpetrator and privileged access vulnerabilities, LANL officials did not correlate how a combination of each of those threats could result in additional risks to the system.

In addition, officials had not remediated critical and high-risk vulnerabilities within timeframes established in both the Classified and Unclassified Network Continuous Program of Automated Testing (CPAT) Manuals. According to the CPAT Manuals, critical vulnerabilities were required to be mitigated within 24 hours. If not remedied within the prescribed timeframe, the Manuals required the systems to be blocked. While high-risk vulnerabilities were permitted 5 days to be mitigated before system blocking, many of the vulnerabilities identified in our report significantly exceeded this timeframe.
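
The remediation windows above, and the 30-day patch-age test applied to the unclassified servers, can be turned into a mechanical triage check. The script below is an added example, not the report's or the Laboratory's tooling: it applies the CPAT Manual timeframes the report cites (critical: 24 hours, high-risk: 5 days, then block) and the 30-day patch-age rule to a constructed scan export, skipping findings that carry an approved deviation. The record layout, host names, dates and the deviation field are assumptions made for the example.

```python
"""Overdue-vulnerability triage against the remediation windows cited in the report.

Thresholds come from the report's description of LANL's CPAT Manuals (critical:
24 hours, high-risk: 5 days, then block the system) and its 30-day patch-age test.
Everything else (record layout, host names, dates, deviation flags) is constructed
for illustration and is not the Laboratory's data or tooling.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Remediation windows from the CPAT Manuals as described in the report.
# Severities without an entry carry no blocking deadline.
REMEDIATION_WINDOW = {
    "critical": timedelta(hours=24),
    "high": timedelta(days=5),
}
PATCH_AGE_LIMIT = timedelta(days=30)  # the report's "released more than 30 days prior" test


@dataclass(frozen=True)
class Finding:
    host: str
    check: str                                  # scanner check name (constructed)
    severity: str                               # "critical", "high", "medium", "low"
    first_seen: datetime                        # when the scanner first reported it
    patch_released: Optional[datetime] = None   # vendor fix date, if one exists
    deviation: bool = False                     # approved deviation exempts it from blocking


def deadline(f: Finding) -> Optional[datetime]:
    """Mitigation deadline for a finding, or None when no window applies."""
    window = REMEDIATION_WINDOW.get(f.severity)
    return f.first_seen + window if window else None


def overdue_findings(findings: List[Finding], now: datetime) -> List[Finding]:
    """Findings past their deadline that carry no approved deviation."""
    overdue = []
    for f in findings:
        d = deadline(f)
        if d is not None and not f.deviation and now > d:
            overdue.append(f)
    return overdue


def hosts_to_block(findings: List[Finding], now: datetime) -> List[str]:
    """Hosts the manuals' rule would require blocking at time `now`."""
    return sorted({f.host for f in overdue_findings(findings, now)})


def days_overdue(f: Finding, now: datetime) -> float:
    """How far past its deadline a finding is, in days (0.0 if not overdue)."""
    d = deadline(f)
    return max(0.0, (now - d).total_seconds() / 86400) if d else 0.0


def stale_patch_findings(findings: List[Finding], now: datetime) -> List[Finding]:
    """Findings whose vendor patch has been available longer than PATCH_AGE_LIMIT."""
    return [f for f in findings
            if f.patch_released is not None and now - f.patch_released > PATCH_AGE_LIMIT]


# Constructed sample scan export (not real LANL findings).
NOW = datetime(2012, 6, 1, 12, 0)
SAMPLE = [
    Finding("srv-a", "office-suite-rce", "critical", datetime(2008, 3, 10),
            patch_released=datetime(2008, 2, 1)),
    Finding("srv-a", "weak-tls-cipher", "medium", datetime(2012, 5, 20)),
    Finding("srv-b", "browser-plugin-rce", "high", datetime(2012, 5, 31, 9, 0),
            patch_released=datetime(2012, 5, 25)),
    Finding("srv-c", "legacy-db-overflow", "critical", datetime(2011, 1, 5),
            patch_released=datetime(2010, 12, 1), deviation=True),
    Finding("srv-d", "kernel-privesc", "high", datetime(2012, 5, 1),
            patch_released=datetime(2012, 4, 15)),
]

if __name__ == "__main__":
    for f in overdue_findings(SAMPLE, NOW):
        print(f"{f.host:6} {f.severity:8} {f.check:20} {days_overdue(f, NOW):7.1f} days overdue")
    print("block:", hosts_to_block(SAMPLE, NOW))
    stale = stale_patch_findings(SAMPLE, NOW)
    print(f"stale patches: {len(stale)} of {len(SAMPLE)} findings")
```

On the sample, srv-c is excluded from blocking only because it carries an approved deviation, which is the single case the report says LANL had documented; every other overdue critical or high-risk finding falls under the manuals' blocking rule.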

Furthermore, LANL's vulnerability scanning procedures did not require the performance of authenticated network scanning, which could have identified vulnerabilities that may have been exploited by an individual with access to its networks. Authenticated scanning utilizes login names and passwords to simulate a user being on the system and is an important component to ensuring a complete and effective vulnerability management program.

Information Systems and Networks at Risk

Despite the improvements made at LANL, the upcoming transition to the Risk Management Framework, which is heavily reliant on continuous monitoring, could be hindered due to a lack of understanding by responsible individuals of the total risks associated with the systems. Furthermore, without effective vulnerability scanning and remediation of identified weaknesses, LANL's unclassified and classified networks face a higher than necessary risk of compromise.

Exploitation of vulnerabilities can cause considerable disruptions to operations and increases the risk to sensitive data and/or programs. Furthermore, there is an increase of possible theft or improper disclosure of confidential information. Also, as indicated in our report on The Department's Unclassified Cyber Security Program – 2011 (DOE/IG-0856, October 2011), recovering from successful cyber security attacks can be costly and time-consuming.
Therefore, sites must continue to be vigilant in cyber security protections.

RECOMMENDATIONS

To help improve the effectiveness of LANL's cyber security program, including enhancing the site's risk management and continuous monitoring processes, we recommend that the Under Secretary for Nuclear Security, in conjunction with the NNSA Chief Information Officer and the Manager, Los Alamos Site Office:

   1. Correct, through implementation of appropriate controls, the technical vulnerabilities identified in this report;

   2. Ensure that all Federal cyber security requirements are met, particularly in the areas of system security control testing and risk assessments; and,

   3. Direct LANL to modify internal procedures to include scanning processes designed to identify all internal vulnerabilities on the national security and unclassified computing environments.

MANAGEMENT REACTION

NNSA management concurred with each of the report's recommendations and indicated that corrective actions would be taken to address the issues identified. Management stated that LANL had taken aggressive measures to develop comprehensive cyber security procedures within the last 5 years.
In addition,\n                   management commented that it remains committed to maturing its\n                   cyber security processes and expanding the use of risk-based\n                   methodologies to drive more effective and efficient outcomes.\n\nAUDITOR COMMENTS   Management\'s comments and planned corrective actions are\n                   responsive to our recommendations. Management\'s comments are\n                   included in Appendix 3.\n\n\n\n\nPage 8                                                                 Comments\n\x0cAppendix 1\n\nOBJECTIVE     To determine whether the Los Alamos National Laboratory\n              (LANL) effectively managed its cyber security program.\n\nSCOPE         We conducted the audit from January 2012 to February 2013, at\n              LANL in Los Alamos, New Mexico. The scope of the audit was\n              limited to a review of LANL\'s cyber security program.\n              Vulnerability scanning was performed on selected national security\n              and unclassified systems.\n\nMETHODOLOGY   To accomplish the audit objective, we:\n\n                   \xe2\x80\xa2   Reviewed applicable laws and regulations, including\n                       those pertaining to cyber security;\n\n                   \xe2\x80\xa2   Reviewed applicable standards and guidance issued by\n                       the Office of Management and Budget and the National\n                       Institute of Standards and Technology;\n\n                   \xe2\x80\xa2   Reviewed prior reports issued by the Office of Inspector\n                       General;\n\n                   \xe2\x80\xa2   Interviewed officials from LANL and the Los Alamos\n                       Site Office to gain an overall understanding of the cyber\n                       security program;\n\n                   \xe2\x80\xa2   Performed a detailed review of eight systems including\n                       seven national security systems (two moderate-risk 
and five high-risk) and one moderate-risk unclassified system;

                   •   Performed a detailed analysis of the security plans and implementation of technical controls; and

                   •   Reviewed risk assessments to determine the potential level of risk.

              We conducted this performance audit in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We also assessed significant internal controls and LANL's implementation of the GPRA Modernization Act of 2010 and determined that it had not established performance measures for cyber security. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our evaluation. We relied on computer-processed data to satisfy our objective. In particular, computer-assisted audit tools were used to perform probes of various networks and drives.
We validated the results of the scans by confirming the weaknesses disclosed with responsible on-site personnel and performed other procedures to satisfy ourselves as to the reliability and competence of the data produced by the tests.

              Management waived an exit conference.

Appendix 2

                                      PRIOR REPORTS

Office of Inspector General Reports

   •   Evaluation Report on The Department's Unclassified Cyber Security Program – 2012 (DOE/IG-0877, November 2012). The evaluation found that the Department of Energy (Department) had taken steps to address previously identified cyber security weaknesses and enhance its unclassified cyber security program, including taking corrective actions to address 40 of 56 weaknesses identified during our prior-year evaluation. However, our evaluation found that the types and severity of weaknesses continued to persist and remained consistent with prior years. In particular, the weaknesses identified involved problems with access controls, vulnerability management, integrity of web applications, planning for continuity of operations and change control management. These weaknesses occurred, in part, because Department elements had not ensured that cyber security requirements were fully developed and implemented. In addition, programs and sites had not always effectively monitored performance to ensure that appropriate controls were in place.

   •   Evaluation Report on The Department's Unclassified Cyber Security Program – 2011 (DOE/IG-0856, October 2011).
The evaluation report noted that the Department had taken steps over the past year to address previously identified cyber security weaknesses and enhance its unclassified cyber security program. While these were positive steps, additional action was needed to further strengthen the Department's unclassified cyber security program and help address threats to its information and systems. For example, our Fiscal Year (FY) 2011 evaluation disclosed that corrective actions had been completed for only 11 of the 35 cyber security weaknesses identified in our FY 2010 review. In addition, we identified numerous weaknesses in the areas of access controls, vulnerability management, web application integrity, contingency planning, change control management and cyber security training. The weaknesses identified occurred, in part, because Departmental elements had not ensured that cyber security requirements included all necessary elements and were properly implemented.

   •   Evaluation Report on The Department's Unclassified Cyber Security Program – 2010 (DOE/IG-0843, October 2010). The evaluation disclosed that the Department had taken steps to enhance its unclassified cyber security program, including resolving five of seven cyber security weaknesses identified during our FY 2009 evaluation. While these were positive accomplishments, additional action was needed to further strengthen the Department's unclassified cyber security program and help mitigate threats to its information and systems. In this context, our review revealed weaknesses in the areas of access controls, configuration and vulnerability management, web application integrity, and security planning and testing.
The weaknesses identified occurred, at least in part, because Departmental elements had not always ensured that cyber security requirements were effectively implemented. In addition, the Department, including the National Nuclear Security Administration, had not adequately monitored cyber security performance.

  •   Audit Report on Certification and Accreditation of the Department's National Security Information Systems (DOE/IG-0800, August 2008). The audit found that additional actions were needed to strengthen the certification and accreditation process and reduce the risk of compromise to these systems. Several problems contributed to the weaknesses identified during our review. In particular, the Department had not fully developed and implemented adequate cyber security policies to ensure that national security information systems were adequately protected. In addition, Federal and contractor officials did not always utilize effective mechanisms to monitor performance of security controls. Without improvements, the Department lacks assurance that its classified data and systems are secure from numerous threats and vulnerabilities. The issues identified during our review were similar to those that contributed to an environment in which the theft of classified information at the Los Alamos National Laboratory (LANL) occurred in 2006. We made several recommendations designed to further enhance security over the Department's national security information systems.

  •   Special Inquiry on Selected Controls over Classified Information at the Los Alamos National Laboratory (OAS-SR-07-01, November 2006).
This special inquiry disclosed circumstances surrounding an incident at LANL. Because of cyber security and Privacy Act considerations, detailed findings are provided in a non-public report that includes specific recommendations to strengthen security policy and procedures. We found that the security framework relating to this incident at LANL was seriously flawed. Specifically, our review disclosed that in a number of key areas, security policy was non-existent, applied inconsistently or not followed. Additionally, critical cyber security internal controls and safeguards were not functioning as intended. Further, monitoring by both LANL and Federal officials was inadequate. Our review of matters related to the most recent incident identified a cyber security environment that was inadequate given the sensitivity of operations at LANL. While significant procedural weaknesses were evident, human failure, whether willful or not, was the key component in this matter. In our report, we identified a number of specific actions associated with the latest series of events that were in contravention of recognized security policies and procedures.

Appendix 3

             MANAGEMENT COMMENTS

                                                                    IG Report No. DOE/IG-0880

                           CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us.
On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if applicable to you:

     1.   What additional background information about the selection, scheduling, scope, or procedures of the audit or inspection would have been helpful to the reader in understanding this report?

     2.   What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

     3.   What format, stylistic, or organizational changes might have made this report's overall message clearer to the reader?

     4.   What additional actions could the Office of Inspector General have taken on the issues discussed in this report that would have been helpful?

     5.   Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name                                          Date

Telephone                                     Organization

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

                               Office of Inspector General (IG-1)
                                     Department of Energy
                                    Washington, DC 20585

                                  ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact our office at (202) 253-2162.

The Office of Inspector General wants to make the distribution of its reports as customer-friendly and cost-effective as possible.
Therefore, this report will be available electronically through the Internet at the following address:

              U.S. Department of Energy Office of Inspector General Home Page
                                    http://energy.gov/ig

  Your comments would be appreciated and can be provided on the Customer Response Form.